Securing Your ASP.NET Application
Presented by: Rob Bagby, Developer Evangelist, Microsoft
[email protected] (email)
http://www.robbagby.com (blog)

Session Agenda
- Security Overview / Basics
- ASP.NET Security Architecture
- Authentication
- Authorization
- Input Validation
- Database
- Sensitive Data

Security Overview
- Defense-In-Depth: the concept that many layers of security are better than one layer.
- Threat Modeling

Threat Modeling Process
A structured approach to:
- Evaluate security threats
- Identify countermeasures

Steps:
1. Identify assets
2. Create an architectural overview
3. Decompose the application
4. Identify the threats
5. Document the threats
6. Rate the threats

DREAD helps rate risk:
- Damage potential
- Reproducibility
- Exploitability
- Affected users
- Discoverability

More information in MSDN Patterns and Practices:
http://msdn.microsoft.com/library/enus/dnnetsec/html/ThreatCounter.asp

ASP.NET Architecture - Overview (diagram slide; not reproduced)

ASP.NET Architecture - Gatekeepers
Gatekeepers: the authorization points within an ASP.NET application. They are provided by IIS and by ASP.NET.

IIS
- Permits requests from users that it can authenticate (with anonymous access turned off)
- Uses NTFS permissions to perform access control

ASP.NET has 2 gatekeepers:
- UrlAuthorizationModule
  - Configure <authorization> elements in Web.config to control access
  - Based on IPrincipal (stored in HttpContext.User)
- FileAuthorizationModule
  - For file types mapped to the ASP.NET ISAPI extension
  - Access checks are done using the authenticated user's token
  - Could be the anonymous account

ASP.NET Architecture (Principal Permission Demands)
Declarative:
    [PrincipalPermission(SecurityAction.Demand, Role = @"DomainName\WindowsGroup")]
Imperative:
    PrincipalPermission permCheck = new PrincipalPermission(null, @"DomainName\WindowsGroup");
    permCheck.Demand();

Authentication
The process by which a user is uniquely identified, given his/her credentials.

Authentication Options
- Windows with impersonation
- Windows without impersonation
- Forms
- Passport

Authentication - Windows (Overview)
- The operating system authenticates the user
- Requires a valid Windows account
- Transparent access to resources
- WindowsIdentity:
    WindowsIdentity widentity = WindowsIdentity.GetCurrent();
    IIdentity iidentity = WindowsIdentity.GetCurrent();

Authentication - Windows (with Impersonation)
Configuration:
    <authentication mode="Windows" />
    <identity impersonate="true" />
Advantages
- ACLs protect resources accessed by your app under the caller's identity
- Flow the caller's identity to the middle tier
Disadvantages
- Reduced scalability: database connection pooling is per identity, so each impersonated caller gets its own pool
- Requires a Windows account for each user
- Increased administration

Authentication - Windows (without Impersonation)
Configuration:
    <authentication mode="Windows" />
    <identity impersonate="false" />   (or no <identity> element at all)
Advantages
- ACLs for client-requested resources
- URL Authorization (note the attribute is users, plural):
    <authorization>
      <deny users="DomainName\UserName" />
      <allow roles="DomainName\WindowsGroupName" />
    </authorization>
Disadvantages
- Requires a Windows account for each user
- Increased administration

Authentication - Forms
Configuration:
    <authentication mode="Forms">
      <forms loginUrl="login.aspx" name="AuthCookie" timeout="60" path="/" />
    </authentication>
Advantages
- No Windows accounts required
- Firewall friendly
Disadvantages
- You have to implement and write the credential store and login logic yourself

Authentication - Passport
Configuration:
    <authentication mode="Passport" />
Advantages
- Single sign-on
Disadvantages
- Non-trivial to implement

Authorization
The process by which the system validates that the authenticated user has access to resources or has privileges to perform certain operations.
Options depend upon the authentication type:
- Windows with impersonation
- Windows without impersonation
- Forms
- Passport

Authorization - Windows (with Impersonation)
Behaviors
- ACLs
  - Client-requested resources: original caller's token
  - Resources accessed by the application: original caller's token
- URL Authorization: original caller's group or user
    <authorization>
      <deny users="DomainName\UserName" />
      <allow roles="DomainName\WindowsGroupName" />
    </authorization>

Authorization - Windows (without Impersonation)
Behaviors
- ACLs
  - Client-requested resources: original caller's token
  - Resources accessed by the application: ASP.NET process identity
- URL Authorization: original caller's group or user
    <authorization>
      <deny users="DomainName\UserName" />
      <allow roles="DomainName\WindowsGroupName" />
    </authorization>

Authorization - Forms
Behaviors
- ACLs
  - Client-requested resources: ACLs must allow read access to the anonymous Internet user account; File Authorization is not available, since the caller has no Windows token
  - Resources accessed by the application: ASP.NET process identity
- URL Authorization: determined by the custom data
  store. SQL example:
    <authorization>
      <deny users="?" />
      <allow roles="RoleName, RoleName1" />
    </authorization>
  ("?" is the anonymous user. Rules are evaluated top to bottom and the first match wins; the machine-level default is <allow users="*" />, so end the list with <deny users="*" /> when only the listed roles may enter.)

Authorization cont. (Role-Based)
.NET role-based options:
- Declarative demands with PrincipalPermissionAttribute (1 role):
    [PrincipalPermissionAttribute(SecurityAction.Demand, Role = "MyRole")]
- Imperative demands using a PrincipalPermission object (multiple):
    public void MyMethod()
    {
        PrincipalPermission perm = new PrincipalPermission(null, "MyRole");
        perm.Demand();
    }
- Role checks with IsInRole (multiple):
    principal.IsInRole("MyRole");
- Custom authentication role checks:
    string[] roles = new string[] { "MyRole", "MyRole1" };
    IPrincipal principal = new GenericPrincipal(identity, roles);
    principal.IsInRole("MyRole");

Authorization cont. (Guidelines)
- Defense-in-depth approach
- Granular roles
- Declarative demands, where possible
- Use IsInRole if you need to check more than one role membership

ASP.NET Forms Authentication demo

Input Validation
- Assume all input is malicious
- Centralize your approach
- Do not rely on client-side validation
- Be careful with canonicalization issues
- Constrain, reject, and sanitize your input

Database
- Use stored procedures
- Grant access only to stored procedures
- Parameterize queries when stored procedures are not possible
- Use a least-privileged account approach
- Protect connection strings as secrets
- Hash passwords
- Encrypt sensitive data

Sensitive Data
- Hashing: practically impossible to reverse
- Encryption: can only be decrypted with the encryption key
- DPAPI: Data Protection API
Sensitive Data (cont.)
Columns: I want to... / Recommendation / Advantages / Limitations

1. Store a user password securely
   - Recommendation: Salt + SHA1 (one-way hash). Prepend a random salt to the password before hashing to defend against off-line dictionary attacks.
   - Advantages: No keys to manage.
   - Limitations: Identical input yields identical hash values, so a salt must be stored to ensure unique hash values for identical inputs.

2. Protect local user data
   - Recommendation: DPAPI (encryption using keys derived from user credentials).
   - Advantages: DPAPI manages keys on behalf of the application.
   - Limitations: Data can't be decrypted by other users, or on other machines.

3. Encrypt data that will need to be decrypted later
   - Recommendation: Symmetric encryption algorithms (e.g. Rijndael).
   - Advantages: Flexible: data can be decrypted by other apps / machines that have the key.
   - Limitations: The application must manage keys and transmit them securely.

Wrap-up & Questions
Rob Bagby, Developer Evangelist, Microsoft
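Worked example for the Windows authentication slides (added here; not code from the deck). The "with" and "without impersonation" configurations differ only in whose token the application uses for resources it opens itself. A middle ground the slides do not show is to leave impersonate="false" and impersonate the caller for a single file access, which keeps the NTFS ACL on the file authoritative while database connections opened elsewhere keep using the process identity and stay poolable. The class name, method names and the file path are assumptions; the code targets .NET Framework with Windows authentication enabled in IIS.

```csharp
// Added example: per-request impersonation of the Windows caller for one file access,
// under <authentication mode="Windows" /> and impersonate="false" (or no <identity> element).
using System;
using System.IO;
using System.Security.Principal;
using System.Web;

public static class CallerFileAccess
{
    // Without impersonation the two identities differ: the app runs as the ASP.NET process
    // identity, while HttpContext.User carries the caller's WindowsIdentity set by IIS.
    public static string DescribeIdentities(HttpContext ctx)
    {
        string processIdentity = WindowsIdentity.GetCurrent().Name;   // e.g. NT AUTHORITY\NETWORK SERVICE
        string callerIdentity = ctx.User.Identity.Name;               // e.g. DOMAIN\alice
        return "process=" + processIdentity + " caller=" + callerIdentity;
    }

    // Reads a file with the caller's token, so the NTFS ACL on the file decides access,
    // not the ACL granted to the worker process. Impersonation is scoped to this call.
    public static string ReadCallerFile(HttpContext ctx, string path)   // path: assumed to be server-chosen
    {
        WindowsIdentity caller = ctx.User.Identity as WindowsIdentity;
        if (caller == null || !caller.IsAuthenticated)
            throw new UnauthorizedAccessException("Windows authentication required.");

        WindowsImpersonationContext impersonation = caller.Impersonate();
        try
        {
            // An UnauthorizedAccessException here means the caller's own ACL denies the file.
            return File.ReadAllText(path);
        }
        finally
        {
            impersonation.Undo();   // always revert to the process identity, even on exceptions
        }
    }
}
```

Calling DescribeIdentities from a page under each configuration is the quickest way to see what the "Resources accessed by application" rows in the authorization slides mean in practice: with impersonate="true" both names are the caller's; with impersonate="false" the first is the worker-process account.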
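Worked example for the "ASP.NET Forms Authentication demo" and role-based authorization slides (added here; not the deck's demo code). It issues a Forms ticket whose UserData carries the user's roles, rebuilds a GenericPrincipal with those roles on every request so UrlAuthorizationModule and PrincipalPermission can see them, and then enforces a role with a declarative demand and with IsInRole. The roles "Admin" and "Approver", the method names, and the assumption that the site is served over HTTPS are mine, not the deck's; the login page's own credential check (against hashed passwords) is assumed to have succeeded before IssueTicket is called.

```csharp
// Added example: Forms authentication with roles carried inside the encrypted ticket.
using System;
using System.Security.Cryptography;
using System.Security.Permissions;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public static class FormsRoles
{
    // login.aspx: called only after the credentials have been verified.
    public static void IssueTicket(HttpResponse response, string userName, string[] roles)
    {
        string userData = string.Join(",", roles);       // roles ride inside the ticket, not in a separate cookie
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                           // version
            userName,
            DateTime.Now,
            DateTime.Now.AddMinutes(60), // matches timeout="60" on the <forms> element
            false,                       // not persistent
            userData,
            FormsAuthentication.FormsCookiePath);

        string encrypted = FormsAuthentication.Encrypt(ticket);   // protected with the machineKey
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        cookie.HttpOnly = true;   // script cannot read the ticket
        cookie.Secure = true;     // assumption: site is HTTPS only
        response.Cookies.Add(cookie);
    }

    // Global.asax, Application_AuthenticateRequest: FormsAuthenticationModule has already built a
    // roleless principal; replace it with one that knows the roles from the ticket.
    public static void AttachRoles(HttpContext context)
    {
        HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null) return;                         // anonymous request

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException) { return; }               // malformed cookie: stay anonymous
        catch (CryptographicException) { return; }          // tampered cookie: stay anonymous
        if (ticket == null || ticket.Expired) return;

        string[] roles = ticket.UserData.Length == 0 ? new string[0] : ticket.UserData.Split(',');
        context.User = new GenericPrincipal(new FormsIdentity(ticket), roles);
    }

    // Declarative demand: throws SecurityException unless Thread.CurrentPrincipal (which ASP.NET
    // sets from HttpContext.User after authentication) is in the Admin role.
    [PrincipalPermission(SecurityAction.Demand, Role = "Admin")]
    public static void DeleteAccount(string userName)
    {
        // privileged work goes here
    }

    // More than one acceptable role: IsInRole, as the guidelines slide recommends.
    public static bool CanApprove(IPrincipal principal)
    {
        return principal.IsInRole("Admin") || principal.IsInRole("Approver");
    }
}
```

With this in place the `<deny users="?" />` / `<allow roles="..." />` rules from the Forms authorization slide work unchanged, because UrlAuthorizationModule calls IsInRole on the principal that AttachRoles installed. Keep the ticket's UserData short: the whole encrypted ticket travels in every request.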
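Worked example for the Input Validation slide (added here; not from the deck). It centralizes the "constrain, reject, sanitize" rules in one class, checks server-side regardless of any client-side validator, canonicalizes a requested file name before comparing it to the allowed directory, and encodes for HTML on output. The field rules, the upload directory, and the method names are assumptions.

```csharp
// Added example: a central validator that constrains, rejects and sanitizes input server-side.
using System;
using System.IO;
using System.Text.RegularExpressions;
using System.Web;

public static class InputValidation
{
    // Constrain with an allow-list. \z anchors at the true end of the string; $ alone would
    // also match just before a trailing newline, which lets "alice\n" through.
    static readonly Regex UserNamePattern = new Regex(@"^[A-Za-z0-9_.-]{3,32}\z", RegexOptions.Compiled);

    public static bool IsValidUserName(string value)
    {
        return value != null && UserNamePattern.IsMatch(value);
    }

    // Constrain by type and range rather than trusting the string form.
    public static bool TryParseQuantity(string value, out int quantity)
    {
        return int.TryParse(value, out quantity) && quantity >= 1 && quantity <= 1000;
    }

    // Canonicalize, then check. Path.GetFullPath resolves "..", "." and mixed separators, so
    // "..\web.config" cannot escape the directory; a rooted name such as "C:\secrets\x" makes
    // Path.Combine return it unchanged, and the prefix check rejects it too. Comparing the raw
    // string would catch none of these forms.
    public static string ResolveUploadPath(string baseDirectory, string requestedName)
    {
        if (string.IsNullOrEmpty(requestedName)) throw new ArgumentException("name required");

        string root = Path.GetFullPath(baseDirectory).TrimEnd(Path.DirectorySeparatorChar)
                      + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(root, requestedName));

        if (!candidate.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("path escapes the upload directory");
        return candidate;
    }

    // Sanitize on output: encode for the HTML context, so a value that had to be accepted
    // verbatim (a comment, a display name) cannot inject markup or script into the page.
    public static string ForHtml(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted ?? string.Empty);
    }
}
```

The trailing separator on root matters: without it "C:\uploads-old\x.txt" would pass a prefix check against "C:\uploads". Encoding belongs at the output boundary (ForHtml when rendering), not at input, because the same stored value may later go into SQL, a log, or a URL, each of which needs a different encoding.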
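Worked example for the Database slide (added here; not from the deck). The same lookup is written three ways: unsafely by string concatenation, with a parameterized query, and through a stored procedure that is the only object the application's SQL login may execute. The table and procedure names, the connection-string name "Orders" and the database role "OrdersAppRole" are assumptions.

```csharp
// Added example: SQL injection via concatenation beside the parameterized and stored-procedure forms.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class CustomerRepository
{
    // Read from <connectionStrings>, never hard-coded; requires a reference to System.Configuration.dll.
    // The section can then be encrypted in place: aspnet_regiis -pe "connectionStrings" -app "/MyApp"
    static string ConnectionString
    {
        get { return ConfigurationManager.ConnectionStrings["Orders"].ConnectionString; }
    }

    // VULNERABLE: user input becomes SQL text.
    //   city = x' OR '1'='1            -> counts every row
    //   city = x'; DROP TABLE Customers;--  -> runs a second statement
    public static int CountByCityUnsafe(string city)
    {
        string sql = "SELECT COUNT(*) FROM Customers WHERE City = '" + city + "'";
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // SAFE: the value travels as a typed parameter, never as SQL text, so quotes in it are data.
    public static int CountByCity(string city)
    {
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand("SELECT COUNT(*) FROM Customers WHERE City = @city", conn))
        {
            cmd.Parameters.Add("@city", SqlDbType.NVarChar, 50).Value = city;   // the length constrains input too
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // SAFE and least-privileged: the login is granted EXECUTE on this procedure only, with no
    // SELECT on the table, so a bug elsewhere in the app cannot read or alter the table directly.
    //   CREATE PROCEDURE dbo.CountCustomersByCity @city NVARCHAR(50) AS
    //       SELECT COUNT(*) FROM dbo.Customers WHERE City = @city;
    //   GRANT EXECUTE ON dbo.CountCustomersByCity TO OrdersAppRole;
    public static int CountByCityViaProc(string city)
    {
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand("dbo.CountCustomersByCity", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@city", SqlDbType.NVarChar, 50).Value = city;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}
```

Stored procedures only help when the procedure itself does not rebuild dynamic SQL from its arguments with EXEC or sp_executesql; a procedure that concatenates @city into a string is as injectable as CountByCityUnsafe.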
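Worked example for the three rows of the Sensitive Data table (added here; not from the deck). Row 1 uses PBKDF2 (Rfc2898DeriveBytes), which is the slide's salt + SHA1 construction iterated many times so that each guess in an off-line dictionary attack is expensive; a single SHA-1 over salt and password is too fast to be adequate today. Row 2 is DPAPI through ProtectedData. Row 3 is Rijndael/AES in CBC mode with a random IV and an HMAC-SHA256 over the ciphertext, because CBC alone does not detect tampering. The class and method names, the iteration count and the storage format are assumptions; the code targets .NET Framework 4.x and needs a reference to System.Security.dll for ProtectedData.

```csharp
// Added example: salted one-way password hashing, DPAPI, and authenticated symmetric encryption.
using System;
using System.Security.Cryptography;

public static class SensitiveData
{
    // --- Row 1: store a user password securely (one-way, salted; no key to manage) ---
    const int SaltSize = 16, HashSize = 32, Iterations = 100000;

    // Returns "iterations:salt:hash"; storing the salt is what keeps identical passwords distinct.
    public static string HashPassword(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);                                  // fresh random salt per password
        byte[] hash;
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            hash = kdf.GetBytes(HashSize);
        return Iterations + ":" + Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash);
    }

    public static bool VerifyPassword(string password, string stored)
    {
        string[] parts = stored.Split(':');
        int iterations = int.Parse(parts[0]);
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        byte[] actual;
        using (Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, iterations))
            actual = kdf.GetBytes(expected.Length);
        return FixedTimeEquals(expected, actual);
    }

    // --- Row 2: protect local user data (DPAPI; only the same Windows user on the same machine can read it) ---
    public static byte[] ProtectLocal(byte[] data, byte[] entropy)
    {
        return ProtectedData.Protect(data, entropy, DataProtectionScope.CurrentUser);
    }

    public static byte[] UnprotectLocal(byte[] blob, byte[] entropy)
    {
        return ProtectedData.Unprotect(blob, entropy, DataProtectionScope.CurrentUser);
    }

    // --- Row 3: encrypt data that must be decrypted later (keys shared with the other app/machine) ---
    // Output layout: IV (16) || ciphertext || HMAC-SHA256 over IV+ciphertext (32).
    // RijndaelManaged with a 128-bit block is AES; encKey is 16, 24 or 32 bytes.
    public static byte[] Encrypt(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using (RijndaelManaged aes = NewAes(encKey))
        {
            aes.GenerateIV();                                    // fresh IV: equal plaintexts encrypt differently
            byte[] ct;
            using (ICryptoTransform enc = aes.CreateEncryptor())
                ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
            byte[] ivAndCt = Concat(aes.IV, ct);
            using (HMACSHA256 mac = new HMACSHA256(macKey))
                return Concat(ivAndCt, mac.ComputeHash(ivAndCt));
        }
    }

    public static byte[] Decrypt(byte[] blob, byte[] encKey, byte[] macKey)
    {
        if (blob.Length < 16 + 32) throw new CryptographicException("blob too short");
        byte[] ivAndCt = Sub(blob, 0, blob.Length - 32);
        byte[] tag = Sub(blob, blob.Length - 32, 32);
        using (HMACSHA256 mac = new HMACSHA256(macKey))
        {
            if (!FixedTimeEquals(tag, mac.ComputeHash(ivAndCt)))
                throw new CryptographicException("authentication failed");   // verified before any decryption
        }
        using (RijndaelManaged aes = NewAes(encKey))
        {
            aes.IV = Sub(ivAndCt, 0, 16);
            using (ICryptoTransform dec = aes.CreateDecryptor())
                return dec.TransformFinalBlock(ivAndCt, 16, ivAndCt.Length - 16);
        }
    }

    static RijndaelManaged NewAes(byte[] key)
    {
        RijndaelManaged aes = new RijndaelManaged();
        aes.BlockSize = 128; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
        aes.Key = key;
        return aes;
    }

    // Compare without leaking the position of the first differing byte through timing.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static byte[] Concat(byte[] a, byte[] b) { byte[] r = new byte[a.Length + b.Length]; Buffer.BlockCopy(a, 0, r, 0, a.Length); Buffer.BlockCopy(b, 0, r, a.Length, b.Length); return r; }
    static byte[] Sub(byte[] src, int offset, int count) { byte[] r = new byte[count]; Buffer.BlockCopy(src, offset, r, 0, count); return r; }
}
```

The table's limitation for row 3, that the application must manage and transmit the keys, is the hard part this code does not solve: encKey and macKey have to come from somewhere both sides trust, for example a DPAPI-protected blob on each machine (row 2) rather than from web.config in clear text.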